trivia

another voice in the babble on the net

The UK Parliamentary petitions site is currently hosting what appears to be one of the most popular it has ever listed. The petition seeks to gain support for revocation of article 50 so that the UK can remain in the EU. Personal politics aside (though in the interests of transparency I should say that I am a passionate supporter of remain) I believe that this petition, or one very like it, was inevitable given our dear PM’s completely shambolic handling of the whole brexit fiasco. Her latest “appeal” to the “tired” public to get behind her version of brexit in which she lays the blame for the delay to getting her deal over the line in the lap of MPs was probably the last straw for many. It is certainly a risky strategy because she needs the support of those very MPs to get the agreement she wants.

Telling the public that she is “on [y]our side” and that she understands we have “had enough” is just asking for a kicking. So when the twitter hashtag #RevokeArticle50 pointed to the Parliamentary petition seeking the revocation of the whole sorry business it became almost inevitable that the public would respond appropriately. At one stage the petition signing rate was the highest ever seen.

Inevitably, however, the site could not cope with this demonstration of the will of the people and it slowed, and eventually crashed – repeatedly. When I went to sign the petition at around 16.00 today, it took me several attempts to get past the “ngnix 502 Bad Gateway” page and get a “thank you for signing” message.

Of course, unless I actually get the email message referred to, and I respond, then my signature won’t count. Right now though, the entire site is off line – but don’t worry, they are working on it.

OK, I admit to being dumb. I got another scam email yesterday of the same formulation as the earlier ones (mail From: me@mydomain, To: me@mydomain) attempting to extort bitcoin from me.

How? What had I missed this time?

Well, this was slightly different. Checking the mail headers (and my logs) showed that the email had a valid “Sender” address (some bozo calling themselves “susanne@mangomango.de”) so my earlier “check_sender_access” test would obviously have allowed the email to pass. But what I hadn’t considered was that the sender might then spoof the From: address in the data portion of the email (which is trivially easy to do).

“Reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn’t own the MAIL FROM address according to $smtpd_sender_login_maps.”

Now since I store all my user details in a mysql database called “virtual_mailbox_maps” it is simple enough to tell postfix to use that database as the “smtpd_sender_login_map” and check the “From” address against that, That way only locally authenticated valid users can specify a local “From:” address. Why I missed that check is just beyond me.

(Note that I chose to use the “reject_unauthenticated_sender_login_mismatch” rather than the wider “reject_sender_login_mismatch” because I only care about outside unauthenticated senders abusing my system. I can deal with authenticated users differently…)

I mentioned in my previous post that I had recently received one of those scam emails designed to make the recipient think that their account has been compromised in some way and that, furthermore, that compromise has led to malware being installed which has spied on the user’s supposed porn habits. The email then attempts a classic extortion along the lines, “send us money or we let all your friends and contacts see what you have been up to.”

In the scam as described by El Reg, the sender tries to lend credence to the email by including the recipient’s password. As the Reg points out, this password is likely to have been harvested from a web site used in the past by the poor unsuspecting recipient. In my case, the sender didn’t include any password, but they did send the email to me from the email address targetted (so they sent email to “mick@domain” with sender “mick@domain”). Needless to say, I thought that this should not have been possible (except in the unlikely scenario that the extortionist actually had compromised my mail server). After all, my mail server refuses to relay from addresses other than my own networks, and all mail sent from my server must come from an authenticated user (using SASL authentication). My postfix sender restrictions looked like this:

That says that locally authenticated users can send mail anywhere, but we should reject the sending request when the MAIL FROM address specifies a domain that is not in fully-qualified domain form as is required by the RFC. This stops outsiders trying to send mail to us from non-existent or badly forged from addresses. The final permit allows checking to proceed to the next steps (the relay and recipient restrictions).

So what was going on?

Well, there was nothing in my restrictions to say that an outsider could not send to a local user (i.e. an email recipient on one of my domains). After all, that is part of the function of my mail system – it must accept (valid) email from the outside world aimed at my local users. But therein lay the problem. My mail connection checks (along with the “smtpd_helo”, “smtpd_relay” and “smtpd_recipient” restrictions enforced outbound checks and limited mail sending to outside domains from locally authenticated users, but inbound checks assumed (incorrectly as it turns out) that the sender domain was external to me (i.e. FROM someone@external.domain TO someone@internal.domain). Crucially I had ommitted to enforce any rule stopping someone sending FROM someone@internal.domain TO someone@internal.domain). On reflection that was dumb – and the “extortionist” had taken advantage of that mistake to try to fool me.

Fixing this is actually quite easy. Postfix allows the smtpd_sender_restrictions to include a variety of checks, one of which is “check_sender_access”. This enforces checks against a database of MAIL FROM address, domains, parent domains, or localpart@ specifying actions to take in each case. The database table contains three fields – domain-to-check, action-to-take, optional-message.

So I created a database of local domains called /postfix/localdomains thus:

first.local.domain REJECT Oh no you don’t. You’re not local!
second.local.domain REJECT Oh no you don’t. You’re not local!
third.local.domain REJECT Oh no you don’t. You’re not local!
etc

(I was tempted to add a rude message, but thought better of it…..)

Postfix supports a variety of different table types. You can find out which your system supports with the command “postconf -m”. I chose “hash” for my table. The local database file is created from the text table with the command “postmap /etc/postfix/localdomains”. Having done that I added the check to my sender_restrictions thus:

I have been running my own mail server now for well over a decade. Whilst the actual physical hardware (or actually VPS system) may have changed once or twice during that time, the underlying software (postfix and dovecot on debian) has not really changed all that much. However, what has changed over the last decade or so, is the expectation that mail systems will be much more robust, better managed, less insecure (no more “open relays”) and harder on spam than had been the case in the early days of wide takeup of email by the public. Ignoring the “free” offerings from the likes of google, microsoft and others, it would arguably be cheaper, and certainly easier, for me to simply pay for an external mail service by one of the many providers out there. It is pretty easy to find companies offering to host personal email for about a tenner or at most twenty pounds a year. Those “solutions” (as providers seem to love to call their products) usually give you decent anti-spam, A/V scanning, POP3S/IMAPS connectivity (or if you really must, a webmail interface) and can usually alias mail to your preferred domain – particularly if you buy a domain name with your email service. But they always have limitations that I don’t like. The most obvious ones are: restrictions on the number of actual email addresses (as opposed to aliases), limited storage (though that is becoming less of a problem these days), and artificial restrictions on attachment sizes. And I’m bloody minded. I like to control my own email. I run my own email service for the same reason I manage my own DNS, run my own webservers, manage my own wordpress installation, run my own XMPP server and VPNs and manage my own domestic local network with assorted servers hanging off it. I like control and I dislike the opportunity outsourced services have for providing third parties access to my data. My personal data.

Besides, a boy needs a hobby.

However, I do occasionally get one or two problems in mail delivery – though usually /to/ my system rather than /from/ my system. For example I still get the occasional spam or cruddy email which gets past my protection mechanisms. Indeed I recently received one of those ridiculous extortion scam emails purporting to come from my own email adddress – more of which later – but this post is about an outbound mail failure from me to a friend of mine with a btinternet.com account.

I routinely correspond by email with a bunch of long standing friends who once lived relatively close together but are now more widely geographically dispersed. The group (or sub groups in some cases) get together on occasion for holidays, outings and meals. For some odd reason, many of those friends of mine have AOL accounts (I know, I know, but try telling them that). In a list of about two dozen regular correspondents, about a quarter of those people use AOL. The majority of the rest use BT, hotmail and gmail with one or two minor providers or work based accounts. On occasion in the past I have had mail to those AOL based accounts refused by AOL on the spurious grounds that my mail looked like spam because it was aimed at about half a dozen separate AOL accounts all at once. Well, that’s what happens when you “reply-all” to a mail list. Sadly AOL never could figure this out. After a while I gave up emailing their postmaster explaining the problem (and it was /their/ problem, identical email to the individual accounts always got through) because I never, ever, received a reply.

But this is about BT, not AOL.

Members of the mail list are shortly to meet for the group’s annual Christmas meal (it is always late, but hey) and one member “volunteered” to arrange the gathering, find a venue, sort menus etc. Said member has a btinternet email account (@btinternet.com) and he circulated a menu seeking choices for the meal. My reply was refused by BT with a “hard” 554 message which was reported to me by my mail system as below:

Now this was decidedly odd, because not 10 days beforehand I had happily sent earlier mails to the same address when our volunteer was initially talking about venue and proposed dates for the gathering. Just to be certain I wasn’t at fault, I checked the advice given by BT on their mail site referred to by the bounce message. Now the only thing I do not have set up for my mail server is DKIM signing. Everything else is hunky-dory – Proper “From” address? check. SPF? check. Proper MX records? check. Fixed IP address? check. PTR record? check. Good reputation? check. Not blacklisted? check (mxtoolbox says I’m fine). Furthermore, I never send HTML email (which I abhor as an abominable bastardisation of proper email standards) so did not have any embedded images or other bloody silly links in my mail). So after trying once or twice more later in the day (and failing) I emailed the BT postmaster saying I was having a problem and pointing out that whilst I might not use Domain keys, there seemed to me to be little else wrong with my email. I didn’t expect an answer, but you have to try,

BT responded – and they responded quickly. I sent my notification, with the failure message, to the BT postmaster address timed at 17.16. At 17.23 I received a reply saying:

“Hi,
Can you please send an example of the failing email to [investigation-address]@btinternet.com.
Please do not forward the email as an attachment but resend it.
Please let “postmaster” know when this has been sent so we can check the email’s content and possible reason for thinking it is spam.

Thank You,”

Slightly stunned, I did as requested and a short time later (at half past midnight when I was asleep) I received another email from BT saying:

“Hi,
That email is scoring high as spam so I have reported it to our spam engine provider, I will email you again when I have some news.
Thank you,”

Sure enough, that same morning at 02.50, I received the following good news:

“Hello,

We have made a change that should stop the emails being scored as spam, this change is being rolled-out now so please try again later.

Thanks”

On reading this when I got up that day I resent my email and, sure enough, it got through. Way to go BT! I have never, ever received that kind of rapid response from any ISP anywhere in the world – and I quite often email “abuse@” network addresses when some toerag or particularly persistent ‘bot shows up in my logs trying to do things I don’t like.

However, as much as I would like to believe that BT fixed a problem simply to accomodate my mail system, I actually think that unlikely. Given that mail from my system to @btinternet.com addresses had been working fine up until a few days ago, I think it much more likely that BT mail administrators had made some recent change, perhaps in one of their spam filters, which caused sigificant volumes of inbound mail to be rejected. My email had then simply been caught up in that wider problem and they were receiving queries or complaints from other mail administrators and not just me. Be that as it may, they still responded correctly, and efficiently as they moved to rectify whatever was causing the problem. So, my congratulations, and heartfelt thanks to the BT postmaster team for actually doing the sort of job that postmasters are supposed to, but rarely do properly.

Permanent link to this article: https://baldric.net/2019/01/23/congratulations-to-bt/

I normally post a “happy birthday trivia” message at this time of year. Indeed I have been doing this for 12 years now. Of late my posting has become less frequent which is somewhat odd since I now have much more free time than I had back when I started trivia. But no matter – some things are much more important than blogging.

This year I was struck by a BBC article by the poet Ian McMillan which I read yesterday. The article recalls how McMillan briefly met a chap called “Brian” at Jersey airport on a breezy night in autumn many years ago. McMillan was apparently very worried about the impending flight but was reassured by Brian that all would be well. After chatting for a short while and just before boarding the flight, Brian and McMillan swapped addresses and said that they would stay in touch. Unfortunately McMillan then lost Brian’s address. But Brian obviously did not lose McMillan’s address because each Christmas thereafter he sent a card, despite receiving nothing back.

The article ends with McMillan saying:

“Always keep the address. Always remember where people are, and then you can translate those moments of the kindness of strangers into a winter scene and a first class stamp. “

When I posted yesterday I noticed that there was a new version (5.0) of wordpress available for installation. So I decided to spend a short while today upgrading as I always do when a new software version is released. But I hit a snag – a big one.

The new version of wordpress includes a completely re-written editor called “gutenberg”. That editor fails quite spectacularly for many users. In my case I could not edit any existing posts or pages and wordpress threw up the error message shown below:

No “attempts at recovery” were successful. So I was left with a broken upgrade and no way to edit any of my existing posts. Not good.

Now I always make backups before any upgrade so I thought I’d just roll back to the earlier version and reinstall the database and then wait until wordpress fixed whatever was wrong (probably in a 5.1 release). However, since I’d already gone to the trouble of completing the upgrade I thought I’d first check to see how many others had hit the same snag and see if there was a workaround. It seems the error is widespread. There is some differing advice online as to whether the error is caused by a conflict with some plugin or other, but since I don’t use many plugins, and certainly not the ones which seemed to get most of the blame, that didn’t seem to be the case for me. Certainly I couldn’t remove a plugin I don’t have.

There is, however, a fix released by wordpress in the shape of a plugin called “classic editor”. This plugin replaces the new (broken) editor with the old, (working) one. Once I’d installed that I was good to go again.

But, and this is a big but, the fact that the plugin has had over 900,000 downloads to date suggests very strongly that a) the new editor is seriously borked, and b) many users, like me, are happy with the classic editor.

Does this remind anyone of Microsoft?

Permanent link to this article: https://baldric.net/2018/12/12/wordpress-5-0-editor-error/

It’s not often that I find myself agreeing with GCHQ, but ex GCHQ Director Robert Hannigan’s recent comments in an interview with the BBC Today programme struck a chord.

Hannigan headed GCHQ from April 2014 until his resignation for family reasons last year. Whilst in post he pushed for greater transparency at the SIGINT agency. He was responsible for setting up the National Cyber Security Centre in 2017. And in 2016 he argued publicly in favour of strong encryption and against the idea of “back doors” in crypto software. So, arguably, Hannigan is more liberal and open than is common in GCHQ. Certainly his approach was very different to that of his predecessors Iain Lobban or David Pepper.

In his Today interview, Hannigan said of Facebook:

“This isn’t a kind of fluffy charity providing free services. It’s is a very hard-headed international business and these big tech companies are essentially the world’s biggest global advertisers, that’s where they make their billions.

“So in return for the service that you find useful they take your data… and squeeze every drop of profit out of it.”

Asked if Facebook was a threat to democracy, Hannigan said:

“Potentially yes. I think it is if it isn’t controlled and regulated.

“But these big companies, particularly where there are monopolies, can’t frankly reform themselves. It will have to come from outside.”

So he is arguing for greater democratic control of the behemoth which is Facebook (and by extrapolation, other similar companies such as Google). That may put him at odds with many in the US.

More interestingly though, Hannigan also went on to comment on the Chinese Telecoms giant Huawei.

Huawei has been in the news a lot recently. Last week (7 December) Meng Wanzhou, Huawei’s chief financial officer and the daughter of its founder, was detained at Vancouver airport on a US extradition request. In November, New Zealand reported that it had decided to follow the lead of the US and Australia in barring Huawei from involvement in its 5G networks. Canada is reportedly carrying out a security review of Huawei telecoms equipment, and in the UK, BT has said that it will be removing Huawei kit from the core of its 5G network. All these decisions are said to flow from fears that China may be using Huawei as a proxy so it can spy on rival nations.

Hannigan had this to say about Huawei:

“My worry is there is a sort of hysteria growing at the moment about Chinese technology in general, and Huawei in particular, which is driven by all sorts of things but not by understanding the technology or the possible threat. And we do need a calmer and more dispassionate approach here.”

He went on to say “no malicious backdoors” had been found in Huawei’s systems, although there were concerns about the firm’s approach to cyber security and engineering.

He added:

“The idea… that we can cut ourselves off from all Chinese technology in the future, which is not just going to be the cheapest – which it has been in the past – but in many areas the best, is frankly crazy.”

Indeed. It is worth remembering that in 2005 BT selected Huawei as a preferred supplier for equipment for its 21CN network – much to the chagrin of the obvious competitors. Marconi never recovered from the loss of sales to BT who took the decision on the entirely hard headed basis of best value for money (i.e. cost).

At the time of the decision by BT to go with Huawei there were lots of rumblings about “security concerns”. Those rumblings have never gone away and the UK is still under pressure from the US to ditch Huawei. But it could be argued that the biggest reason for this is actually a protectionist desire by the US to see its main communications infrastructure companies (Cisco, Juniper et al) getting business rather than the newcomers from China.

And who is to say that equipment from those US companies poses any less of a security threat than that from Huawei? I’d guess that the NSA would much prefer to see US equipment deployed across the world’s Telcoms Companies – for fairly obvious reasons – the very same reasons which are adduced to Huawei.

Permanent link to this article: https://baldric.net/2018/12/11/well-i-never/

Back in June 2015 I decided to force all connections to trivia over TLS rather than allow plain unencrypted connections. I decided to do this for the obvious reason that it was (and still is) a “good thing” (TM). In my view, all transactions over the ‘net should be encrypted, preferably using strong cyphers offering perfect forward secrecy – just to stop all forms of “bad guys” snooping on what you are doing. Of course, even in such cases there are still myriad ways said “bad guys” can get some idea what you are doing (unencrypted DNS tells them where you are going for example) but hey, at least we can make the buggers work a bit harder.

Unfortunately, as I soon discovered, my self-signed X509 certificates were not well received by RSS aggregators or by some spiders. And as Brett Parker at ALUG pointed out to me, the algorithms used by some (if not all) of the main web spiders (such as Google) would down rank my site on the (in my view laughably specious) grounds that the site could not be trusted.

As I have said before, I’m with Michael Orlitzky, both in his defence of self-signed certificates and his distaste for the CA “terrorists”. I think the CA model is fundamentally broken and I dislike it intensely. It is also, in my view, completely wrong to confuse encryption with identification and authentication. Admittedly, you might care about the (claimed) identity of an email correspondent using encryption (which is why PGP’s “web of trust” exists – even though that too is flawed) or whether the bank you are connecting to is actually who it says it is. But why trust the CA to verify that? Seriously, why? How did the CA verify that the entity buying the certificate is actually entitled to identify itself in that way? Why do you trust that CA as a third party verifier of that identity? How do you know that the certificate offered to your browser is a trustworthy indicator of the identity of the site you are visiting? How do you know that the certificate exchange has not been subject to a MITM attack? How do you know that your browser has not been compromised?

You don’t know. You can’t be sure. You simply trust the nice big green padlock.

Interestingly, banks, and I am sure other large organisations which are heavily regulated, are now beginning to add features which give more feedback to the end user on their identity during transactions. I recently applied for a new zero interest credit card (I like the idea of free money). In addition to the usual UID, password and security number requested of me (in order to identify me to them) the bank providing that card asked me to pick a “personal image” together with a personally chosen secure phrase known only to me in order that they could present those back to me to identify them to me. I am instructed not to proceed with any transaction unless that identification is satisfactory.

So even the banks recognise that the CA model is inadequate as a means of trusted identification. But we still use it to provide encryption.

For some time now browsers have thrown all sorts of overblown warnings about “untrusted” sites which offer self-signed certificates such as the ones I have happily used for years (and which I note that Mike Orlitzky still uses). As I have said in the past, that is simply daft when the same browser will happily connect to the same site over an unencrypted plain HTTP channel with no warning whatsoever. Now, however, there is a concerted effort (started by Google – yes them again) to move to warning end users that plain HTTP sites are “insecure”. Beginning in July 2018 (that’s now) with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure” (sigh). And where Google goes with Chrome, Mozilla, Microsoft and Apple will surely follow with Firefox, Edge and Safari. As much as I may applaud the move to a more fully encrypted web, I deplore the misuse of the word “secure” in this context. Many small sites will now face balkanisation as their viewers fall away in the face of daft warnings from their browsers. Worse, the continued use of warnings which may be ignored by end users (who, let’s face it, often just carry on clicking until they get what they want to see) will surely desensitise those same users to /real/ security warnings that they should pay attention to. Better I feel to simply warn the user that “access to this site is not encrypted”. But what do I know?

I write articles on trivia in the expectation that someone, somewhere, will read them. Granted, blogging is the ultimate form of vanity publishing, but I flatter myself that some people genuinely may find some of my “how-to” style articles of some use. Indeed, I know from my logs and from email corresondence that my articles on VPN usage for example are used and found to be useful. It would be a shame (and largely pointless) to continue to write here if no-one except the hardiest of souls persistent enough to ignore their browsers ever read it. Worse, of course, is the fact that for many people, Google /is/ the internet, They turn to Google before all else when searching for something. If that search engine doesn’t even index trivia, then again I am wasting my time. So, reluctantly, I have decided now is the time to bite the bullet and apply a CA provided TLS certificate to trivia. Some of my more perceptive readers may have already noticed that trivia now defaults to HTTPS rather than plain HTTP. Fortunately, letsencrypt, offers free (as in beer) certificates and the EFF provides an automated system of both installation and renewal of the necessary certificates. So I have deployed and installed a letsencrypt certificate here.

I still don’t like the CA model but, like Cnut the Great (and unlike his courtiers), I recognise my inability to influence the tides around me.

[Postscript]

Note that in order to ensure that I do not get a browser warning about “mixed content”, in addition to the necessary blog and lighttpd configuration changes I have run a global search and replace of all “http://” by “https://” on trivia. Whilst this now gives me a satisfyingly good clear green A+ on the SSL Labs site, it means that all off-site references which may have previously pointed to “http://somewhere.other” will now necessarily point to “https://somewhere.other”. This may break some links where the site in question has not yet moved to TLS support. If that happens, you may simply remove the trailing “s” from the link to get to the original site. Of course, if that still doesn’t work, then the link (or indeed entire site) may have moved or disappeared. It happens.

Permanent link to this article: https://baldric.net/2018/07/07/re-encrypting-trivia/

In 1909, Franz Kafka wrote the “Inclusion of Private Automobile Firms in the Compulsory Insurance Program” as part of “The Office Writings”. His experience of tortuous bureaucracy in Insurance and elsewhere was later reflected in one of his most famous novels “Der Process” (known in English translation as “The Trial”).

Back in October last year I bought another motorcycle to go with my GSX 1250. I’d just sold three other older bikes and felt the need to fill up the resultant hole in my garage. Besides, a man can never have too many motorcycles. At the time I bought the new Yamaha I spoke to my insurers about getting it added to my existing policy. Unfortunately they had recently changed their systems and I could no longer have one policy covering both bikes. So I took out a new separate policy. Oddly enough, that policy cost me twice as much as I paid for cover on the GSX, a bike with over twice the power and a lot more grunt than my new Yamaha. I was told that whilst /I/ was still the same risk, the underwriters assumed that my Yamaha was a riskier vehicle to insure. The ways of insurers are odd indeed and beyond the ken of mortal man.

For the past few months, both my bikes have been wrapped up warm and dry in my garage awaiting a change in the weather so that I no longer have to use the car for everything. This turns out to be a very good thing indeed.

A couple of days ago I received a letter from the Motor Insurer’s Bureau and DVLA. That letter, headed “Stay Insured, Stay Legal” gave the registration number of my Yamaha and stated, in red, “Do not ignore this letter” and went on to say “To avoid a penalty, you will need to take action immediately”. “The record of insurance for your vehicle [REG NO] does not appear on the Motor Insurance Database (MID) and this means if you take no action, you will get a fine.”

The letter also explained that it was my responsibility, as registered keeper, to ensure that my bike was insured. If I was certain that my bike was insured, I was instructed to “contact [my] Insurance provider” since “MIB and DVLA cannot update your records on the MID”.

Pretty worrying and very specific about what I needed to do. So, firstly I checked the MID at “askmid.com” and sure enough, my bike did not appear.

I then ‘phoned my Insurers who confirmed that I was insured and had been since October of last year when I took out the policy. I explained that I knew that was the case because I had the policy in front of me. But that didn’t help me because both DVLA and the MIB believed otherwise. Worse, the MID is used by the Police who will therefore similarly believe otherwise. Worse even than that, is the fact that an extract of the MIB database is supplied for use by ANPR cameras across the UK (See www.mib.org.uk). This means that I only have to pass an ANPR (which I do – a lot) whilst riding that particular bike to almost guarantee a police stop. I therefore asked my insurers to do what the MIB suggested and update my records. No can do, say my insurers. According to their systems I /am/ already on the MIB. After several, rather fruitless conversations (they called me back, I called them again) they suggested that I call the MIB. I explained again that the MIB had clearly stated that /they/ could do nothing, it was down to my insurer and them alone to ensure that my records were correct. Furthermore, the askmid website reinforces the message that “askMID and MIB do not sell insurance nor can we update the Motor Insurance Database (MID). These services are provided by your chosen insurer or broker”.

Nevertheless, since I was getting nowhere with my insurer, I agreed to try to speak to the MIB and, if necesssary, get them to talk to my insurer. Here, dear reader, is where the situation spirals further into the absurd. The letter from the MIB gives a contact telephone number which is completely automated. That advice line (you know the type, “press 1 for this option, 2 for that” etc.) eventually gave me the advice I had already received from the MIB letter and the askmid website – viz: “We cannot do anything, you must talk to your insurer”. So I went back to my insurer. You will not be surprised to read that my insurer, whilst sympathetic and understanding felt that they had done their bit and the fault lay elsewhere.

Now, as a paying customer of a (compulsory) service I don’t care where the fault lies. My only point of leverage is with my insurer. I pay them for a service which does not simply stop with them issuing cover. They must also ensure that the relevant databases are kept up to date. This requirement is laid upon them by Statutory Instrument no 37 of 2003 – “The Motor Vehicles (Compulsory Insurance) (Information Centre and Compensation Body) Regulations 2003”.

The person I spoke to on my third, or possibly fourth, conversation with my Insurer suggested that in order to show that I /was/ fully insured I should carry a copy of my policy with me at all times when riding my bike.

This completely misses the point. It is a legal requirement for my bike’s records on the MIB database to be correct. Only my Insurer can do that. If those records are not correct, I face the almost certain chance of being stopped by the police. Now whilst I can (if I remember to “carry my papers” in the correct Orwellian manner) show the Officers stopping me that I /am/ insured, that will have wasted my time and the Police Officers’ time.

Not good. Not good at all. I’m sure Kafka would have understood my frustration.

And guess what may happen when the time comes for me to renew my insurance – on all my vehicles.

I’m a couple of days late this year. I normally post on Christmas Eve, trivia’s birthday, but hey, I’ve been busy (it goes with the territory at this time of year if you are a grandparent). This year I thought I would depart from my usual topic(s) and post a couple of pictures marking the occasion. So here you go.

Last year my lady gave me a rather interesting christmas present – a Mr Potato Head, but home made.

Not content to leave the joke alone, this year she went slightly upmarket and gave me a Mr Pineapple Head.

I’m sure she loves me really. In fact I know that she does. She made the toadstool cake below for our daughter’s boys, and hey, she really does love those boys.

Merry Christmas to all my readers, wherever you are (and oddly enough, a lot of you appear to be in China).

Permanent link to this article: https://baldric.net/2017/12/26/merry-christmas-2017/

I use email fairly extensively for my public communication but I use XMPP (with suitable end-to-end encryption) for my private, personal communication. And I use my own XMPP server to facilitate this. But as I have mentioned in previous posts my family and many of my friends insist on using proprietary variants of this open standard (facebook, whatsapp etc. ad nauseam). I was thus amused to note that I am not alone in having difficulty in keeping track of “which of my contacts use which chat systems“.

(My thanks, as ever, to Randall Munroe over at XKCD.)

I must find a client which can handle all of my messaging systems. Better yet, I’d like one which worked, and seamlessly synchronised, across my mobile devices and my linux desktop. Even better again, such a client should offer simple (i.e. easy to use) e-to-e crypto and use an open server platform which I can manage myself.

Proprietary systems suck.

Permanent link to this article: https://baldric.net/2017/10/14/multilingual-chat/

The ‘net is a truly wondrous space. I can’t recall exactly how I stumbled across the “International Sliderule Museum” but it is such a wonderful resource devoted to a tool which most people under the age of 40 will never have used that I just had to post a link to it.

Enjoy.

Permanent link to this article: https://baldric.net/2017/09/30/geeks-rule/

So,”real people” don’t care about privacy? All they really want is ease of use and a pretty GUI so that they can chat to all their friends on-line? Only “the enemy” (who is that exactly anyway?) needs encryption? Excuse me for asking, but what have you been smoking? Does the Home Office know about that?

I’m a real person. And I care deeply about privacy. I care enough to fund both my own Tor node and various openVPN servers dotted around the world just to get past your ludicrous attempts at gratuitous surveillance of my (and my family’s) routine use of the ‘net. I care about the security and privacy of my transactions with various commercial enterprises, including my bank (which is why I expect them to use TLS on their website). I care about privacy when I correspond with my Doctor and other professionals. I care about privacy when I use an on-line search engine (which, incidentally, is not Google). I care about privacy because privacy matters. I have the right to freedom of thought and expression. I have the right to discuss those thoughts with others of my choice – when I choose and how I choose. You may not like that, but it’s a fact of life. That doesn’t make me “the enemy”. Get over it.

Back in January 2011, I posted a brief note about a site hosted at the domain “ismycomputeroff.com“. I have just had occasion to look again at that site and found that the domain is now definitely off. It is parked at sedo and is up for sale at the ludicrous price of 599 euros.

Tell you what, you can have my “theinternetisoff.net” domain for the bargain price of half that – after all, it only cost me about a tenner.

Permanent link to this article: https://baldric.net/2017/06/06/it-is-now/

At around 22.30 last Monday, Manchester was subjected to an horrific attack at a pop concert. As the world now knows, a suicide bomber deliberately targeted young people and their friends and families as they were leaving a concert by the young pop singer Ariana Grande. In that attack, 22 people, including children as young as 8 years old lost their lives. Many, many more received life changing injuries.

This is the first confirmed suicide bombing attack in the UK since 7 July 2005. On that day, 12 years ago, I was working in London. I can vividly recall the aftermath of that attack. Shock, horror, disbelief, later turning to anger. But I also vividly recall the reactions of Londoners and visitors to London I met, talked to or simply listened to over the days that followed. Only a few days after the 7th I was travelling by bus to a meeting when quite unbidden a middle aged American couple, obviously tourists, told me and everyone else on the bus that they shared our pain and that they were praying for us. I am not a religious man, indeed, I have no faith whatsoever, but I was deeply moved by that couple’s sincerity. Later, towards the end of July, my wife and I were travelling by Tube towards St Pancras on our way to Paris for our wedding anniversary. The driver of that Tube welcomed us (and everyone else) aboard the “up yours al-Qaeda express”. This show of defiance in the face of horror actually raised a number of smiles from those around us. London survived, Londoners endured.

The citizens of Manchester are now all facing profound shock and grief. That shock and grief will also be felt by anyone who has any shred of humanity within them. London was bad – 52 people lost their lives in that series of co-ordinated attacks. But somehow, Manchester feels worse, much worse. The London bombers targeted morning Tube and bus travellers – mainly commuters, some of whom were late for work because of earlier rail disruption that day. They were a soft target. But the Manchester bombing was callously and deliberately aimed at the ultimate soft target – kids; youngsters and their families emerging from what should have been a wonderful night out. Kids simply enjoying themselves at a concert many would have been planning for and looking forward to for months. Ariane Grande’s fanbase is primarily young women and girls. The attacker would have known that and yet he deliberately chose to detonate his bomb at that time and that place. He, and any accomplices he may have had, deserve nothing but our contempt. Manchester will survive, and Mancunians will endure. They have faced this before in the IRA truck bombing in June 1996. That attack didn’t break them. This one won’t either.

Meanwhile, everyone must grieve for the loss of so many young lives in such a pointless, pitiless attack. My thoughts, and those of my family, are with Manchester.

Permanent link to this article: https://baldric.net/2017/05/25/monday-in-manchester/

With the passage into law of the iniquitous Investigatory Powers (IP) Bill in the UK at the end of November last year, it is way past time for all those who care about civil liberties in this country to exercise their right to privacy.

The new IP Act permits HMG and its various agencies to surveil the entire online population. The Act actually formalises (or in reality, legalises) activity which has long gone on in this country (as in others) in that it gives LEAs and others a blanket right of surveillance.

“An Act to make provision about the interception of communications, equipment interference and the acquisition and retention of communications data, bulk personal datasets and other information; to make provision about the treatment of material held as a result of such interception, equipment interference or acquisition or retention; to establish the Investigatory Powers Commissioner and other Judicial Commissioners and make provision about them and other oversight arrangements; to make further provision about investigatory powers and national security; to amend sections 3 and 5 of the Intelligence Services Act 1994; and for connected purposes.”

“is one of the most extreme surveillance laws ever passed in a democracy. Its impact will be felt beyond the UK as other countries, including authoritarian regimes with poor human rights records, will use this law to justify their own intrusive surveillance regimes.”

Liberty, which believes the Act breeches the public’s rights under the Human Rights Act, is challenging the Act through the Courts. That organisation says:

“Liberty will seek to challenge the lawfulness of the following powers, which it believes breach the public’s rights:

– Bulk hacking – the Act lets police and agencies access, control and alter electronic devices like computers, phones and tablets on an industrial scale, regardless of whether their owners are suspected of involvement in crime – leaving them vulnerable to further attack by hackers.

– Bulk interception – the Act allows the state to read texts, online messages and emails and listen in on calls en masse, without requiring suspicion of criminal activity.

– Bulk acquisition of everybody’s communications data and internet history – the Act forces communications companies and service providers to hand over records of everybody’s emails, phone calls and texts and entire web browsing history to state agencies to store, data-mine and profile at its will.

This provides a goldmine of valuable personal information for criminal hackers and foreign spies.

– “Bulk personal datasets” – the Act lets agencies acquire and link vast databases held by the public or private sector. These contain details on religion, ethnic origin, sexuality, political leanings and health problems, potentially on the entire population – and are ripe for abuse and discrimination.”

ProtonMail, a mail provider designed and built by “scientists, engineers, and developers drawn together by a shared vision of protecting civil liberties online.” announced on Thursday 19 January that they will be providing access to their email service via a Tor onion site, accessible only over the Tor anonymising network. The ProtonMail blog entry announcing the new service says:

“As ProtonMail has evolved, the world has also been changing around us. Civil liberties have been increasingly restricted in all corners of the globe. Even Western democracies such as the US have not been immune to this trend, which is most starkly illustrated by the forced enlistment of US tech companies into the US surveillance apparatus. In fact, we have reached the point where it simply not possible to run a privacy and security focused service in the US or in the UK.

At the same time, the stakes are also higher than ever before. As ProtonMail has grown, we have become increasingly aware of our role as a tool for freedom of speech, and in particular for investigative journalism. Last fall, we were invited to the 2nd Asian Investigative Journalism Conference and were able to get a firsthand look at the importance of tools like ProtonMail in the field.

Recently, more and more countries have begun to take active measures to surveil or restrict access to privacy services, cutting off access to these vital tools. We realize that censorship of ProtonMail in certain countries is not a matter of if, but a matter of when. That’s why we have created a Tor hidden service (also known as an onion site) for ProtonMail to provide an alternative access to ProtonMail that is more secure, private, and resistant to censorship.”

So, somewhat depressingly, the UK is now widely seen as a repressive state, willing to subject its citizens to a frighteningly totalitarian level of surveillance. Personally I am not prepared to put up with this without resistance.

Snowden hype notwithstanding, HMG does not have the resources to directly monitor all electronic communications traffic within the UK or to/from the UK, so it effectively outsources that task to “communications providers” (telcos for telephony and ISPs for internet traffic). Indeed, the IP act is intended, in part, to force UK ISPs to retain internet connection records (ICRs) when required to do so by the Home Secretary. In reality, this means that all the major ISPs, who already have relationships with HMG of various kinds, will be expected to log all their customer’s internet connectivity and to retain such logs for so long as is deemed necessary under the Act. The Act then gives various parts of HMG the right to request those logs for investigatory purposes.

Given that most of us now routinely use the internet for a vast range of activity, not limited just to browsing websites, but actually transacting in the real world, this is akin to requiring that every single library records the book requests of its users, every single media outlet (newsagents, bookshops, record shops etc.) records every purchase in a form traceable back to the purchaser, every single professional service provider (solicitors, lawyers, doctors, dentists, architects, plumbers, builders etc.) record all activity by name and address of visitor. All this on top of the already existing capability of HMG to track and record every single person, social media site or organisation we contact by email or other form of messaging.

Can you imagine how you would feel if on every occasion you left your home a Police Officer (or in fact officials from any one of 48 separate agencies, including such oddities as the Food Standards Agency, the NHS Business Services Authority or the Gambling Commission) had the right, without a warrant or justifiable cause, to stop you and search you so that (s)he could read every piece of documentation you were carrying? How do you feel about submitting to a fishing trip through your handbag, briefcase, wallet or pockets?

I have no problem whatsoever with targeted surveillance, but forgive me if I find the blanket unwarranted surveillance of the whole populace, on the off-chance it might be useful, completely unacceptable. What happened to the right to privacy and the presumption of innocence in the eyes of the law? The data collected by ISPs and telcos under the IP act gives a treasure trove of information on UK citizens that the former East German Stasi could only have dreamed about.

Now regardless of whether or not you trust HMG to use this information wisely, and only for the reasons laid out under the Act, and only in the strict circumstances laid out in the Act, and only with the effective scrutiny of “independent” oversight, how confident are you that any future administration would be similarly wise and circumspect? What is to stop a future, let us suppose, less enlightened or liberal administration, misusing that data? What happens if in future some act which is currently perfectly legal and permissible, if of somewhat dubious taste, morality and good sense (such as, say, reading the Daily Mail online) were to become illegal? What constraint would there be to prevent a retrospective search for past consumers of such dubious material in order to flag them as “persons of interest”?

And even if you are comfortable with all of that, how comfortable are you with the idea that organised crime could have access to all your personal details? Given the aggregation of data inherent in the requirement for bulk data collection by ISPs, those datasets become massive and juicy targets for data theft (by criminals as as well as foreign nation states). And if you think that could not happen because ISPs and Telcos take really, really, really good care of their customer’s data, then think about TalkTalk or Plusnet or Three or Yahoo.

And they are just a few of the recent ones that we /know/ about.

So long as I use a UK landline or mobile provider for telephony, there is little I can do about the aggregation of metadata about my contacts (and if you think metadata aggregation doesn’t matter, take a look at this EFF note). I can, of course, and do, keep a couple of (cash) pre-paid SIM only mobile ‘phones handy – after all, you never know when you may need one (such as perhaps, in future when they become “difficult” to purchase). And the very fact that I say that probably flags me as suspicious in some people’s minds. (As an aside, ask yourself what comes to mind when you think about someone using a cash paid, anonymous, second hand mobile ‘phone. See? I must be guilty of something. Notice how pernicious suspicion becomes? Tricky isn’t it?) Nor can I do much about protecting my email (unless I use GPG, but that is problematic and in any case does not hide the all important metadata in the to/from/date/subject headers). Given that, I have long treated email just as if it were correspondence by postcard, though somewhat less private. For some long time I used to routinely GPG sign all my email. I have stopped doing that because the signatures meant, of course, that I had no deniability. Nowadays I only sign (and/or encrypt) when I want my correspondents to be sure I am who I say I am (or they want that reassurance).

But that does not mean I think I should just roll over and give up. There is plenty I can do to protect both myself and my immediate family from unnecessary, intrusive, unwarranted and unwanted snooping. For over a year now I have been using my own XMPP server in place of text messaging. I have had my own email server for well over a decade, and so long as I am conversing there with others on one of my domains served by that system, then that email is pretty private too (protected in transit by TLS using my own X509 certificates). My web browsing has also long been protected by Tor. But all that still leaves trails I don’t like leaving. I might, for example, not want my ISP to even know that I am using Tor, and in the case of my browsing activity it becomes problematic to protect others in my household or to cover all the multiple devices we now have which are network connected (I’ve actually lost count and would have to sit down and list them carefully to be sure I had everything covered).

What to do? The obvious solution is to wrap all my network activity in a VPN tunnel through my ISP’s routers before I hit the wider internet. That way my ISP can’t log anything beyond the fact that I am using a VPN. But which VPN to use? And should I go for a commercial service or roll my own? Bear in mind that not all VPNs are created equal, nor are they all necessarily really private or secure. The “P” in VPN refers to the ability to interconnect two separate (probably RFC 1918) private networks across a public untrusted network. It does not actually imply anything about the end user’s privacy. And depending upon the provider chosen and the protocols used, end user privacy may be largely illusory. In the worst case scenario, depending upon the jurisdiction in which you live and your personal threat model, a badly chosen VPN provider may actually reduce privacy by drawing attention to the fact that you value that privacy. (As an aside, using Tor can also have much the same effect. Indeed, there is plenty of anecdotal evidence to suggest that Tor usage lights you up like a christmas tree in the eyes of the main GPAs.)

Back in 2015, a team of researchers from the Sapienza University of Rome and Queen Mary University of London published a paper (PDF) entitled “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients”. That paper described the researcher’s findings from a survey of 14 of the better known commercial VPN providers. The teams chose the providers in much the same way you or I might do so – they searched on-line for “best VPN” or “anonymous VPN” and chose the providers which came highest or most frequently in the search results. The paper is worth reading. It describes how a poor choice of provider could lead to significant traffic leakage, typically through IPV6 or DNS. The table below is taken from their paper.

The paper describes some countermeasures which may mitigate some of the problems. In my case I disable IPV6 at the router and apply firewall rules at both the desktop and VPS end of the tunnel to deny IPV6. My local DNS resolver files point to the OpenVPN endpoint (where I run a DNS resolver stub) for resolution and both that server and my local DNS resolvers (dnsmasq) point only to opennic DNS servers. It may help.

There are reports that usage of commercial VPN providers has gone up since the passage of the IP act. Many commercial VPN providers will be using the passage of the act as a potential booster for their services. And there are plenty of VPN providers about – just do what the Sapienza and Queen Mary researchers did and search for “VPN Provider” or “VPN services” to get lots of different lists, or take a look at lists provided by such sites as PrivacyTools or BestVPN. One useful point about the better commercial providers is that they usually have substantial infrastructure in place offering VPN exit points in various geographic locations. This can be particularly useful if you want to appear to be based in a particular country. Our own dear old BBC for example will block access to some services if you are not UK based (or if you are UK based and try to access services designed for overseas users). This can be problematic for UK citizens travelling overseas who wish to view UK services. A VPN with a UK exit gets around that problem. VPN users can also use local exits when they wish to access similarly (stupidly) protected services in foreign locales (the idiots in the media companies who are insistent on DRM in all its manifest forms are becoming more than just tiresome).

Some of the commercial services look better than others to me, but they all have one simple flaw as far as I am concerned. I don’t control the service. And no matter what the provider may say about “complete anonymity” (difficult if you want to pay by credit card) or “no logs”, the reality is that either there will be logs or the provider may be forced to divulge information by law. And don’t forget the problem of traffic leakage through IPV6 or DNS noted above. One further problem for me in using a commercial VPN provider rather than my own endpoint(s) is that I cannot then predict my apparent source IP address. This matters to me because my firewall rules limit ssh access to my various servers by source IP address. If I don’t know the IP address I am going to pop out on, then I’m going to have to relax that rule. I choose not to. I have simply amended my iptables rules to permit access from all my VPN endpoints.

The goldenfrog site has an interesting take on VPN anonymity. (Note that Goldenfrog market their own VPN service called “VyprVPN” so they are not entirely disinterested observers, but the post is still worth reading nevertheless). If you are simply concerned with protecting your privacy whilst browsing the net, and you are not concerned about anonymity then there may be a case for you to consider using a commercial provider – just don’t pick a UK company because they will be subject to lawful intercept requests under the IP act. Personally I’d shy away from US based companies too, (a view that is shared by PrivacyTools.io so it’s not just me). I would also only pick a provider which supports OpenVPN (or possibly SoftEther) in preference to less secure protocols such as PPTP, or L2TP. (For a comparison of the options, see this BestVPN blog post.

If you wish to use a commercial VPN provider, then I would strongly recommend that you pay for it – and check the contractual arrangements carefully to ensure that they match your requirements. I suggest this for the same reasons I recommend that you pay for an email service. You get a contract. In my view, using a free VPN service might be worse than using no VPN. Think carefully about the business model for free provision of services on the ‘net. Google is a good example of the sort of free service provider which I find problematic. Using a commercial, paid for, VPN service has the distinct advantage that the provider has a vested interest in keeping his clients’ details, and activity, private. After all, his business depends upon that. Trust is fragile and easily lost. If your business is predicated on trustworthiness then I would argue that you will (or should) work hard to maintain that trust. PrivacyTools has a good set of recommendations for VPN providers.

But what if, like me, you are still unsure about using a commercial VPN? Should you use your own setup (as I do)? Here are some things to think about.

Using a commercial VPN

For

Against

Probably easier than setting up OpenVPN on a self-managed VPS for most people. The service provider will usually offer configuration files aimed at all the most popular operating systems. In many cases you will get a “point and click” application interface which will allow you to select the country you wish to pop out in.

“Easier” does not mean “safer”. For example, the VPN provider may provide multiple users with the same private key wrapped up in its configuration files. Or the provider may not actually use OpenVPN. The provider may not offer support for YOUR chosen OS, or YOUR router. Beware in particular of “binary blob” installation of VPN software or configuration files (this applies particularly to Windows users). Unless you are technically competent (which you may not be if you are relying on this sort of installation) then you have no idea what is in that binary installation.

You get a contract (if you pay!)

That contract may not be as strong as you might wish, or it might specifically exclude some things you might wish to see covered. Check the AUP before you select your provider. You get what you pay for.

Management and maintenance of the service (e.g. software patching) is handled by the provider.

You rely on the provider to maintain a secure, up to date, fully patched service. Again, you get what you pay for.

The provider (should) take your security and privacy seriously. Their business depends on it.

The provider may hold logs, or be forced to log activity if local LE require that. They may also make simple mistakes which leak evidence of your activity (is their DNS secure?)

The VPN service is a large, attractive, juicy target for hostile activity by organised crime and/or Global Passive Adversaries such as GCHQ and NSA. Consider your threat model and act accordingly.

Your network activity is “lost” in the noise of activity of others.

But your legal and legitimate activity could provide “cover” for criminal activity of others. If this results in LEA seizure (or otherwise surveillance) of the VPN endpoint then your activity is swept up in the investigation. Are you prepared for the possible consequences of that?

You should get “unlimited” bandwidth (if you pay for it).

But you may have to trade that off for reduced access speed, particularly if you are in contention for network usage with a large number of other users

You (may) be able to set up the account completely anonymously using bitcoin.

Using a VPN provider cannot guarantee you are anonymous. All it can do is enhance your privacy. Do not rely on a VPN to hide illegal activity. (And don’t rely on Tor for that either!)

You may be able to select from a wide range of exit locations depending upon need.

You get full control over the protocol you use, the DNS servers you use, the ciphers you choose and the location(s) you pop up in.

You have to know what you are doing and you have to be comfortable in configuring the VPN software. Moreover, you need to be sure that you can actually secure the server on which you install the VPN server software as well as the client end. There is no point in having a “secure” tunnel if the end server leaks like a sieve or is subject to surveillance by the server provider – you have just shifted surveillance from the UK ISP to someone else.

It can be cheaper than using a commercial service.

It may not be. If you want to be able to pop out in different countries you will have to pay for multiple VPSs in multiple datacentres. You will also be responsible for maintaining those servers.

You can be confident that your network activity is actually private because you can enforce your own no logging policy.

No you can’t be sure. The VPS provider may log all activity. Check the privacy policy carefully. And be aware that the provider of a 3 euro a month VPS is very likely to dump you in the lap of any LEA who comes knocking on the door should you be stupid enough to use the VPN for illegal activity (or even any activity which breaches their AUP).

Also bear in mind the fact that you have no plausible deniability through hiding in a lot of other’s traffic if you are the only user of the VPN – which you paid for with your credit card.

I’ve used OpenVPN quite a lot in the past. I like it, it has a good record for privacy and security, it is relatively easy to set up, and it is well supported on a range of different devices. I have an OpenVPN endpoint on a server on the outer screened subnet which forms part of my home network so that I can connect privately to systems when I am out and about and wish my source IP to appear to be that at my home address. This can be useful when I am stuck in such places as airport lounges, internet cafes, foreign (or even domestic) hotels etc. So when the IP Act was still but a gleam in the eyes of some of our more manic lords and masters, I set up one or two more OpenVPN servers on various VPSs I have dotted about the world. In testing, I’ve found that using a standard OpenVPN setup (using UDP as the transport) has only a negligible impact on my network usage – certainly much less than using Tor.

Apart from the privacy offered by OpenVPN, particularly when properly configured to use forward secrecy as provided by TLS (see gr3t for some tips on improving security in your configuration), we can also make the tunnel difficult to block. We don’t (yet) see many blanket attempts to block VPN usage in the UK, but in some other parts of the world, notably China or reportedly the UAE for example, such activity can be common. By default OpenVPN uses UDP as the transport protocol and the server listens on port 1194. This well known port and/or protocol combination could easily be blocked at the network level. Indeed, some hotels, internet cafes and airport lounges routinely (and annoyingly) block all traffic to ports other than 80 and 443. If, however, we reconfigure OpenVPN to use TCP as the transport and listen on port 443, then its traffic becomes indistinguishable from HTTPS which makes blocking it much more difficult. There is a downside to this though. The overhead of running TCP over TCP can degrade your network experience. That said however, in my view a slightly slower connection is infinitely preferable to no connection or an unprotected connection.

In my testing, even using Tor over the OpenVPN tunnel (so that my Tor entry point appears to the Tor network to be the OpenVPN endpoint) didn’t degrade my network usage too much. This sort of Tor usage is made easier by the fact that I run my Tor client (either Tails, or Whonix) from within a virtual server instance running on one of my desktops. Thus if the desktop is connected to an OpenVPN tunnel then the Tor client is forced to use that tunnel to connect to Tor and thence the outside world.

However, this set up has a few disadvantages, not least the fact that I might forget to fire up the OpenVPN tunnel on my desktop before starting to use Tor. But the biggest problem I face in running a tunnel from my desktop is that it only protects activity /from/ that desktop. Any network connections from any of my mobile devices, my laptops, my various servers, or other network connected devices (as I said, I have lost count) or most importantly, my family’s devices, are perforce unprotected unless I can set up OpenVPN clients on them. In some cases this may be possible (my wife’s laptop for example) but it certainly isn’t ideal and in many cases (think my kid’s ‘phones for example) it is going to be completely impractical. So the obvious solution is to move the VPN tunnel entry point to my domestic router. That way, /all/ traffic to the net will be forced over the tunnel.

When thinking about this, Initially I considered using a raspberry pi as the router but my own experience of the pi’s networking capability left me wondering whether it would cope with my intended use case. The problem with the pi is that it only has one ethernet port and its broadcom chip only supports USB 2.0 connection. Internally the pi converts ethernet to USB. Since the chip is connected to four USB external ports and I would need to add a USB to ethernet conversion externally as well as USB wifi dongle in order to get the kind of connectivity I want (which includes streaming video) I fear that I might overwhelm the pi – certainly I’m pretty sure the device might become a bottleneck. However, I have /not/ tested this (yet) so I have no empirical evidence either way.

My network is already segmented in that I have a domestic ADSL router connected to my ISP and a separate, internal ethernet/WiFi only router connecting to that external router. It looks (something) like this:

Since all the devices I care most about are inbound of the internal router (and wired rather than wifi where I really care) I can treat the network between the two devices as a sacrificial screened subnet. I consider that subnet to be almost as hostile as the outside world. I could therefore add the pi to the external screened net and thus create another separate internal network which is wifi only. That wouldn’t help with my wired devices (which tend to be the ones I really worry about) but it would give me a good test network which I could use as “guest only” access to the outside world. I have commented in the past about the etiquette of allowing guests access to my network. I currently force such access over my external router so that the guests don’t get to see my internal systems. However, that means that in future they won’t get the protection offered by my VPN. That doesn’t strike me as fair so I might yet set up a pi as described (or in fact add another router, they are cheap enough).

Having discounted the pi as a possibility, then another obvious solution would be re-purpose an old linux box (I have plenty) but that would consume way more power than I need to waste and looks to be overkill so the obvious solution is to stick with the purpose built router option. Now both OpenWrt or its fork LEDE and the more controversial DD-WRT offer the possibility of custom built routers with OpenVPN client capability built in. The OpenWrt wiki has a good description of how to set up OpenVPN. The DD-WRT wiki entry somewhat is less good, but then OpenWrt/LEDE would probably be a better choice in my view anyway. I’ve used OpenWrt in the past (on an Asus WL-500g) but found it a bit flaky. Possibly that is a reflection of the router I used (fairly old, bought cheap off ebay) and I should probably try again with a more modern device. But right now it is possible to buy new, capable SOHO routers with OpenVPN capability off the shelf. A quick search for “openvpn routers” will give you devices by Asus, Linksys, Netgear, Cisco or some really interesting little devices by GL Innovations. The Gli devices actually come with OpenWRT baked in and both the GL-MT300N and the slightly better specced GL-AR300M look to be particularly useful. I leave the choice of router to you, but you should be aware that many SOHO routers have lamentably poor security out of the box and even worse security update histories. You also need to bear in mind that VPN capability is resource intensive so you should choose the device with the fastest CPU and most RAM you can afford. I personally chose an Asus device as my VPN router (and yes, it is patched to the latest level….) simply because they are being actively audited at the moment and seem to be taking security a little more seriously than some of their competitors. I may yet experiment with one of the GL devices though.

Note here that I do /not/ use the OpenVPN router as the external router connected directly to my ISP, my new router replaced my old “inside net” router. This means that whilst all the connections I really care about are tunnelled over the OpenVPN route to my endpoint (which may be in one of several European datacentres depending upon how I feel) I can still retain a connection to the outside world which is /not/ tunnelled. There are a couple of reasons for this. Firstly some devices I use actually sometimes need a UK IP presence (think streaming video from catch-up TV or BBC news for example). Secondly, I also wish to retain a separate screened sub-net to house my internal OpenVPN server (to allow me to appear to be using my home network should I so choose when I’m out and about). And of course I may occasionally just like to use an unprotected connection simply to give my ISP some “noise” for his logs….

So, having chosen the router, we now need to configure it to use OpenVPN in client mode. My router can also be configured as a server, so that it would allow incoming tunnelled connections from the outside to my network, but I don’t want that, and nor probably do you. In my case such inbound connections would in any event fail because my external router is so configured as to only allow inbound connections to a webserver and my (separate) OpenVPN server on the screened subnet. It does not permit any other inbound connections, nor does my internal router accept connections from either the outside world or the screened subnet. My internal screened OpenVPN server is configured to route traffic back out to the outside world because it is intended only for such usage.

My new internal router expects its OpenVPN configuration file to follow a specific format. I found this to be poorly documented (but that is not unusual). Here’s how mine looks (well, not exactly for obvious reasons, in particular the (empty) keys are not real, but the format is correct).

If you are using a commercial VPN service rather than your own OpenVPN endpoint, then your provider should give you configuration files much like those above. As I mentioned earlier, beware of “binary blob” non-text configurations.

If your router is anything like mine, you will need to upload the configuration file using the administrative web interface and then activate it. My router allows several different configurations to be stored so that I can vary my VPN endpoints depending on where I wish to pop up on the net. Of course this means that I have to pay for several different VPSs to run OpenVPN on, but at about 3 euros a month for a suitable server, that is not a problem. I choose providers who:

are not UK based or owned;

have AUPs which allow VPN usage (it helps if they are also Tor friendly);

have datacentre presences in more than one location (say Germany, as well as the Ukraine);

allow installation of my choice of OS;

have decent reputations for connectivity and uptime; and

are cheap.

Whilst this may appear at first sight to be problematic, there are in fact a large number of such providers dotted around Europe. Be aware, however, that many small providers are simply resellers of services provided by other, larger, companies. This can mean that whilst you appear to be using ISP “X” in, say, Bulgaria, you are actually using servers owned and managed by a major German company or at least are on networks so owned. Be careful and do your homework before signing up to a service. I have found the lowendtalk site very useful for getting leads and for researching providers. The lowendbox website is also a good starting point for finding cheap deals when you want to test your setup.

Now go take back your privacy.

Notes

Some of the sites I found useful when considering my options are listed below.

Check your IP address and the DNS servers you are using at check2ip.com

Also check whether you are leaking DNS requests outside the tunnel at ipleak.net.

psp

random

“Cheery was aware that Commander Vimes didn't like the phrase 'The innocent have nothing to fear', believing the innocent had everything to fear, mostly from the guilty but in the longer term even more from those who say things like 'The innocent have nothing to fear'.”